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(57) Abstract 

A system (100) and method for preventing a copy of a document to the ouq)ut from a printing node (130) until the printing node 
(130) authenticates the intended recipient. The system (100) includes the sending node (1 10), the printing node (130), and a communication 
link (120) coupling these nodes (110. 130) together in a networic fashion. The sending node (1 10) has access to a public key (210) of 
the printing node (130) and uses this public key (210) to encrypt a header (265) and document (255) before transmission to the printing 
node (130) over the communication link (120). The printing node (130) has access to its private key (21 1) to decrypt the header (265) to 
ascertain whether the document (255) requires authentication by the intended recipient before being output. 



FOR THE PURPOSES OF INFORMATION ONLY 



Codes used to identify Stales party to the PCX on the front pages of pamphlets publishing international applications under die PCT, 



AL 


Albania 


ES 


Spain 


LS 


Lesotho 


SI 


Slovenia 


AM 


Armenia 


n 


. Finland ' . 


LT 


Lithuania 


SK 


Slovakia 


AT 


Austria 


FR 


France 


LU 


Luxembourg 


SN 


Senegal 


AU 


Australia 


CA 


Gabon. 


LV 


Latvia ' 


sz 


Swaziland 


AZ 


Azerbaijan 


GB 


Untied Kingdom 


MC 


Monaco 


TD 


Chad 


BA 


Bosnia and Herzegovina 


GE 


Georgia 


MD 


Republic of Moldova 


TG 


Togo 


BB 


Barbados 


GH 


Ghana 


MG 


Madagascar 


TJ 


Tajikistan 


BE 


Belgium 


GN 


Guinea 


MK 


The former Yugoslav 


TM 


Turkmenistan 


BF 


Burkina Faso 


GR 


Greece 




Republic of Macedonia 


TR 


Turkey 


BG 


Bulgaria , ^ 


HU 


Hungary 


ML 


Mali 


TT 


Trinidad and Tobago 


BJ 


Benin 


IE 


Ireland 


MN 


Mongolia 


UA 


Ukraine 


BR 


Brazil 


IL 


Israel 


MR 


Mauritania 


UG 


Uganda 


BY 


Belarus 


IS 


Iceland 


MW 


Malawi 


US 


United States of America 


CA 


Canada 


IT 


Italy 


MX 


Mexico 


uz 


Uzbekistan 


CF 


Central African Republic 


JP 


Japan 


NE 


Niger 


VN 


Viet Nam 


CG 


Congo 


KE 


Kenya 


NL 


Netherlands 


YU 


Yugoslavia 


CH 


Switzerland 


KG 


Kyrgyzstan 


NO 


Norway 


zw 


Zimbabwe 


CI 


C6ie d*Ivoire 


KP 


Democratic People's 


NZ 


New Zealand 






CM 


Cameroon 




Republic of Korea 


PL 


Poland 






CN 


China 


KR 


Republic of Korea 


PT 


Portugal 






cv 


Cuba 


KZ 


Kazakstan 


RO 


Romania 






cz 


Czech Republic , 


LC 


Saint Lucia 


RU" 


Russian Federation 






DE 


Germany 


LI 


Liechtenstein 


SD 


Sudan 






DK 


Denmark 


LK 


Sri Lanka 


SE 


Sweden 






EE 


Estonia 


LR 


Liberia 


SG 


Singapore 







APPARATUS AND METHOD FOR PREVENTING 
DISCLOSURE THROUGH USER-AUTHENTICATION 
AT A PRINTING NODE 



CROSS-REFERENCES TO RELATED APPLICATIONS 

One of the named inventors of the present application has filed 
co-pending United States patent applications entitled "Apparatus and 
Method for Providing Secured Communications" (Application No. 
08/251.486); "Roving Software License for a Hardware Agent" 
(Application No. 08/303,084); and "Method for Providing a Roving 
Software License in a Hardware Agent-Based System" (Application No. 
08/472.951). These applications are owned by the same assignee of 
the present Application. 

BACKGROUND OF THE INVENTION 

1 . Field of the Invention 

The present invention relates to the. field of data security. More 
particularity, the present invention relates to a system and" method for 
preventing a printing node from outputting confidential information until 
confirmation that an authorized recipient of the confidential information 
is proximate to the printing node. 

2. Description of Art Related to the Invention 

With the continual emergence of smaller, faster and more 
powerful computers, many businesses are currently implementing 
"distributed" networks (e.g., local area networks and the like). These 
networks are advantageous in that each user has control over his or hen 
own personal computer. Moreover, for economic reasons, multiple . 
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users can be connected to less frequently used hardware equipment 
such as printing nodes located in a public area accessible to all users. 
For the scope of this application, a "printing node" is defined as a stand- 
alone hardware device which can receive, temporarily store, and print 
or-otherwise display data from a personal computer or any other 
transmission device. For 'example, a printing node may be represented 
as a printer, a printer operating in combination with a print server, a 
facsimile machine, a plotter^ a remote monitor and the like. 

A frequent problem experienced: by distributed networks involves 
protecting confidential or proprietarv information within documents 
(hereinafter referred to as ."sensitive" documents) from, being mistakenly 
orintentionally read by unauthorized persons. Since the printing node 
is positioned in a public area, upon transmission of a print job to the 
printing node, the sender must immediately walk or run over to the 
printing node to pick up the: sensitive document in order to protect the 
confidentiality of the information contained therein. In the event that the 
printing node is experiencing a temporary problem (e.g., jammed, out of 
paper, low on toner, etc.) or is queued with other print jobs, the sender 
must wait at the printing node for the problem to be corrected or for the 
print job to be performed. 

Alternatively, if available, the sender could return to his or her 
computer and cancel the print job associated with the sensitive 
document. But. of course, there is a risk that the document will be 
printed or displayed during the sender's return to his or her computer. 
However, if the print job is mistakenly sent to a different printing node, 
perhaps an off-site printing node, there are relatively few available 
options to protect the sensitive document from being printed or 
- displayed and possibly read by an unauthorized individual if the 
• sending error is detected after the print job has begun. 

Regardless of whether print jobs may or may not be canceled, for 
distributed networks, persons waste valuable work time waiting around 
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the. printing nodes for sensitive documents. Such waste adversely 
affects the productivity of the sender and his or her conripany. - 

Another problem experienced by distributed networks is . . 
protecting confidential information in sensitive documents froni public 
,view. when printed for another person :{e.g.(:, a co-vy,ori<er) at another site. 
Of course, the sensitive document could be electronically mailed to the 
co-worker in an encrypted format. Someti«;nes,-hqweverr it may-be 
undesirable to electronically send a sensitive document because of the 

■ possibility that it could be. altered and/br ^lectroriScaliy -forwarded to 
unintended recipients. Of course, the dofcument eould'be^^printigd and 

, mailed to the oo-worker but there exist obvious disadvantages such as 

).':time delay.'mail security, etc.: ThUs, it Wduld^alsG be advahtagepus to 
ci-eate a system and method which" eliminates the meffia6Tici€ls' ' ' 
associated with protecting sensitive iiiformMbri'prihted fyom a printing • 

•J tnode intended for the sender orvanother intended reciprent. ■ ' ■ 

SUMMARY OF THE INVENTION 

The present invention relates to a "system and method for 
preventing a copy of a document from being output (printed, displayed, 
etc.) by a printing node until the printing node locally authenticates the 
intended recipient... The system includesja sending node, a printing 
node and a communication link coupling these nodes together in a 
network fashion. The sending node has access to a public key of the 
printing node.an.d uses this public key to, encrypt a header and • 
dpcument before transmission to the printing node over the , 
communication link. The printing node has access to its private key to 
decrypt the header to ascertain whether the document is "sensitive" (i.e., 
requires recipient authentication before priority), If so, the printing node 
locally buffers the document until it receives authorization to output the 
document. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

The features arid advantages of the present invention will 
become apparent from the following detailed description of the present 
invehtioh in which: * • 

, Figure 1 is a simplifieid block diagram of a distributed, secure 
^ network system comprising a sending node and a printing node. 

Figures 2a and 2b are block diagrams of a network system 
using different verification methods concerning the public key of the 
printing node and both transferring an encrypted header and document 
. from the sending node.to the printing node. 

Figure 3 is a flowchart illustrating the method for ensuring that a 
sensitive docunient tagged as containing confidential information will 
not" be output until the recipient present. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

The present invention relates to an apparatus and method for 
, preventing the printing of a sensitive document at a printing node until 
the intended recipient authorizes such printing to occur. Although 
numerous details are set forth in order to provide a thorough 
understanding of the present invention, it is apparent to a person of 
ordinary skill in the art that the present invention may be practiced 
through many different embodiments in addition to that. embodiment 
illustrated without deviating from the spirit and scope of the present 
invention? In other instances, well-known circuits, elements and the like 
are not set forth in detail in drdier to avoid unnecessarily obscuring the 
present invention: ■ 

In the detailed description, a number of cryptography-related 
terms are frequently used.to. describe certain characteristics or qualities 
, which is defined herein. A "key" is an encoding and/or decoding 
parameter for a conventional cryptographic algorithm. .More specifically, 
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the key is a sequential distribution ("string") of binary. data being "n" bits 
in length, where "n" is an arbitrary number. A "document" is generally 
defined as a predetermined amount of data such as one or more pages 
of data being transferred in a sequence of bus cycles. A "digital 
certificate" is defined as a set of any digital information cryptographically 
bound together through use of a private key by a widely known tnjsted 
authority (e.g.. bank, governmental entity, trade association, equipment 
manufacturer, company security, system administration, etc.). A "digital 
signature" is a similar technique used to assure integrity of a message, 
using the private key of the message originator. 

Referring to Figure 1, a simplified version of a distributed, 
secure- network system configured to prevent'sensitive documents from 
being mistakenly printed is shown. The secure network system 100 
includes at least one sending node 110 coupled through 
communication lines 120 to a printing nod^ 130. Although not shown, 
more than one sending node could be coupled to the printing node 130 
through shared or independent communication simiiar to lines 120. As 
secure network systems gain greater commercial acceptance, a 
document will generally be encrypted within the seeding node 110 
before it.is placed on the communication line(s) 120. This will protect 
against -an iriterloper gaining access to the confidential information as it 
is transmitted to the printing node 130. Thus, the printing node 130 
preferably includes software or hardware, such as disclosed in'the 
above cited cross-referenced applications; to decrypt the document 
before out putting. • 

Referring now to Figures 2a-2b, illustrative embodiments of the 
network system using an asymmetric key technique adopted by the 
sending and printing nodes 110 and 130 are shown. This asymmetric 
technique uses two separate keys (referred to as a "public key" and 
"private key") for encryption and decryption purposes. To establish 
unidirectional communications from the sending node 1 10 to the printing 
node 130. the public key of a printing node ("PUK") should be initially 
accessible to the sending node 1 10 through any one of several 
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verification -methods such as through a network-based printer-key server, 
through an initialization of all network nodes with relevant printer public 
keys as they are added to the network, or through any other conceivable 
rnethod. Each of these possible methods may use one or more digital 
certificates issued by at least one trusted authority to obtain PUK and 
substantiate its authenticity of the printer node! 

One method of obtaining and verifying PUK is shown in Figure 
2a. A trusted authority such as a printing node manufacturer 225 

. produces the printing node 1 30 having a public key ("PUK") 210 and a 
private key' (■■'PRK") 21 T within a non-volatile storage element 205 

■■■ implemented within the priRting- node 1 30. In addition, the manufacturer 
225 stores a printing node certificate ("PNCert") 215 within the non- 
volatile storage-element 205.- the printing node certificate PNCert 215 
is equivalent' to at least PUK 21 0 encrypted with a private key ("PRKM") 

= 226 of the manufiacfuriei^ 225. After verification and storage of PUK in a 
non-volatile storage element 235 of the sending node 110, the PNCert 
215 may also be stored in the non-volatile storage element 235. Such 
Storage is optional because PNCert 215 would not be needed again 
unless PUK 210 is corrupted or accidentally removed from sending 
node 110. 

After connecting the printing'node to a network and distributing 
PNCeri 215 to the sending node 110 coupled to the network, the 
sending node 1 10 can use PNCert 215 to verify (i) the authenticity of the 
printer node's public key ("PUK") at its initial distribution and (ii) the 
characteristics of the 'printing hode (i.e., whether it is able to enforce, 
recipient authentication procedures). Such verification may be 
accomplished by a local trusted authority 230 (e.g., a systeni 
" administrator or security office of an entity owning the printing node) 
issuing a verification certificate ("VCert") 240 being the public key of the 
manufacturer ("PUKM") 227 encrypted with the private key of the local 
trusted authority ("PRKLTA") 231 . The public key of the local trusted 
authority ("PUKLTA") 232 would be widely available to'the users of the 
network. The vei^ification certificate 240 may be decrypted to obtain 
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PUKM 207 which can be used to obtain PUK 210 by decrypting PNCert 

.:,..215.. . 

Another example of a method which can obtain as well as verify 
PUK is shown in Figure 2b in whicfi the local trusted authority 230 
internally certifies PUK 210 before providing it 'to the sending node 110. 
As shown, the local trusted authority 230 obtains PUK 210 from the 
printing node 1 30 by decrypting PNCert,21 5 using the public key of the 
printing node nrianufacturer "PUKM" 227, Thereafter, the local trusted 
authority 230 creates a locally generated iverification, certificate > , 
{"LyCert")-24j5. and.. sends LVCert 245.tOithe sendi-ng node. 1:10. Similar 
.to PNCert of .Fig.ur^ 2a, LVCert.;245 may-be stored in- th.& nonvolatile 
.storage element 235 after verification of PUK^.210 if desired.. The ,: 
, sending node 110 decrypts LVCert 245 using PUKLT^A 231 which is 
widely available. As a result;. thej sending node A 1=0 obtains, PUK 210 
; which is. subsequently stored in -th.e, non-yol.atile storage element 235. 

As shown in both Figures 2a an.d 2b. after the public key "PUK" 
210 of the priority node 1 30 is available to the sending node 1 10. the 
sending node 110 can encrypt a document 250 under an asymmetric 
"Rivest Shamir Adiemann" ("RSA") algorithm using PUK 210. This 
forms an encrypted document 255 to be transmitted to the printing node 
130. Additionally, a header 260 for the document is encrypted using the 
public key "PUK" 210 of the targeted printing node 130 producing an 
ericrypted header 265. As an alternative to RSA encryption of the print 
job, "header" may contain a "session key" that is then used by both the 
sender and receiver to perform the required cryptographic operations 
on the document.- It is well-known that a "header" is a common . 
technique to reduce the computational performance normally 
associated with public key cryptography,- especially for large data. sets. 
However, for this invention, the header 260 includes control information 
which allows the printing node 130 to support various functions. 

For example, the header 260 may include control information 
indicating that the document is a "sensitive" document by selecting the 
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document to have a certain "confidentiality" level thereby requiring on- 
site authentication of the intended recipient before printing if the 
confidentiality level exceeds a predetermined (or normal) level. Another 
, . example' is for the header 260 to include a public key of the Intended 
recipient of a printed copy of sensitive document. Thus, before printing 
the "sensitive" docurtient, the "printing node 130 would confirhi that the 
recipient is. present through, one of a number of authentication 
techniques (discussed belovi') using the public key of the intended 
- .recipient. A further example is that the control information may include 
. .tag information such "as a '"print only" tag. This tag would allow the 
"sensitive" document 250 to be printed frorh the printing node 130 but 
would not allow the document 250 to be stored in its text.format in 
memory. A logical extension of this "print only" tag Is the control 
inform^tibh includihg a parameter which indicates the number of times 
the' "sensitive" dbcument could be printed. 

in a preferred embodiment, a print job being a concatenation of 
the encrypted header 265 and the encrypted document ,255 is ' 
transferred through a public domain 270 and into the printing node 130. 
The printing node 130 first decrypts the encrypted header 265 using 
PRK 21 1 to ascertain whether the encrypted document 255 contains 
confidential information requiring the printing node 130 to refrain from at 
least printing the document 250 until the intended recipient is present at 
the printing node 130. Thus, the document 250 is temporarily stored in 
buffer memory (not shown) within the printing node 130 preferably, but 
not necessarily, in its encrypted format. Upon receiving confirmation 
that the intended recipient is present, the encrypted document 250 is (i) 
retrieved from the buffer memory, (ii) decrypted, and (iii) printed. 

' ■ It Is contemplated that there may exist conditions when the 
document is not retrieved or the buffer memory becomes full.- In these 
and other related conditions, it may be necessary to "flush" (i.e., delete 
from memory) certain unretrleved documents from the buffer memory 
thereby freeing up memory space. This may be perforrned 
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automatically through software and/or hardware or manually by a 
system administrator, users of the network and the like. 

There are a riumber of authentication techniques to confirm that 
the intended recipient is present at the printing node. One technique is 
to await a personal. identification numbeif ("PIN") of the- intended . 
recipient to be entered through a-keyboard and numberpad on the 
printing node before -starting a print job of a sensitive document'.,.: In this 
case, the printing node may contain memory storing PINs associated 
with each recognized public key or.the PIN may be transmitted to the 
printing node through the. header. ..-=:v; - 

Another'technique is to enter a 'Yelease code" through the . 
keyboard. The release code is job-specific being .gen^erate.d by the 
sending node at print-time and included in.the header, Th^ release 
code is displayed on the display monitor of the computer for a brief 
period, of time to provide the user sufficienit information to. retrieve the 
print job. If the intended recipient is not the sending user; .the sending 
user may communicate the release code through a telephone call, 
electronic mail, or any other means to the intended recipient. 

Yet another technique is to use some type of authenticating token 

such as a PCMCIA identifier card or smart card which can be inserted 
into the printing node. Instead of requiring the printing node to maintain 
a record of token identifications, the public key of the token vyould be 
included in the header and transmitted to the printing node preferably in 
an encrypted format. Thus, the printing node would heed to sinriply 
match the public key of the token to the public key previously received in 
the header of the print job and execute a standard challenge/response 
protocol with the token. Such a challenge/response protocol ensures 
that the token is authentic by proving the token is in possession of the 
private key corresponding to the header-specified public key. 

A fourth technique is to utilize an access control technique called 
"biometrics*' which uses a capturing device primarily for facility security 
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(e.g., buildings, rooms, etc.). Biometrics involves sensing a 
characteristic of the user (e.g., finger print, iris, retina, etc.) to capture a 
single frame of data (generally referred to as "data frame") or more likely 
mult.iple data frames of the characteristic and comparing the captured 
data frames with a previously stored master. If each of the captured 
data frames compare, correctly to the stored master, the user is identified 
and authenticated. 

' Refei-ring now to Figure 3, a flowchart illustrating the operations 
of the'network system are shown. First, the document must be identified 
as a "sensitive" document or a normal document depending on whether 
confidential and/or proprietary information is contained in the document 
(Step 300). If a normal document, upon transmitting the document to a 
printing node, the sending , node creates a header including disclosure 
protection information such as "print-only" tags which restrict the 
document to only be printed, mitigating any chances to modify the 
document (Steps 305-310). Thereafter, the header and document are 
encrypted before being transmitted to the printing node. 

However, if the document is "sensitive", upon transmitting the 
document to a printing node, the sending node creates a header 
including information necessary to authenticate the intended recipient 
(public key, tokens and the like) and any information needed for 
additional disclosure protection (Steps 305, 315). If the authentication 
information is a release code, the release code must be displayed on a 
display monitor of the sending node to enable the intended recipient to 
instruct the printing node to begin printing the sensitive document (Step 
320 and 325). Thereafter, the header and document are encrypted 
forming a print job and the print job is transmitted to the printing node 
(Step 330). 

Upon receiving the print job, the printing node decrypts the 
header to determine whether the document is a "sensitive document" 
(Step 335 and 340). If the document is a normal document, the printing 
node decrypts the document (Step 355) and subsequently prints the 
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document (Step 360). However, if a sensitive document, the printing 
node stores the encrypted document in an internal buffer memory (Step 
345) and awaits authentication by the intended recipient that he or she 
is near the printing node (Step 350). Upon receiving authentication 
through providing a PIN. release code, ah authentication token and the 
like, the printing node decrypts the document and 'thereafter prints the 
document (Steps 355 and 360). It is contemplated that tHe sensitive 
document may be decrypted, prior tq.Step 345 so that once the intended 
recipient is identified, tine sensitive docu "lent is.queged. for printing and 
printed (Step 360). 

The invention dfescrifcted herein may be designed in hriany 
'• different methods' and using rriany differeWt configurations." A/Vh'ile the 
■ priese'nt invention has been described' in terms of various enibodiitients, 
other embocliments rhay come to mind to those skilled in the art without 
departing from the spirit arid scope of the present invention. The 
invehtioh should, therefore, be measured in terms of the ciainhs which 
follows. 
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CLAIMS 

What is claimed is: 

■ 1. A metliod for preventing a printing node from outputting a 
copy of a document until an intended recipient of the document is 
authenticated near the printing node, the method comprising the steps 
of: 

, . selecting a coafidentiality level for the document, the 
docum.ent being a portion of a print job; 

• creating a header for said print job, said header being a 
. first .header if said, confidentiality level is greater than or equal to 
a predetermined level, said first header containing at least (i) 
information to authenticate, the recipient and (ii) control 
" information including at least said confidentiality level; 

transmitting said print job to the printing node; 
analyzing said header to determine if the confidentiality 
level is greater than or equal to said predetermined level, 
wherein if so, outputting the document once the recipient is 
authenticated. 

2. The method according to claim 1, wherein said header 
created by said step of creating a header for said print job includes a 
second header if said confidentiality level is selected to be less than 
said predetermined level, said second header consists of control 
information, . , 

3. ' The method according to claim 2, wherein prior to said 
transmitting step, the method further includes the step of encrypting said 
header with a public key of the printing node. 
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4. The method according to claim 3, wherein prior to said 
transmitting step, the method further includes the step of encrypting the 
document with said public key of the printing node. 

5. The method according to claim 3, wherein after said 
transmitting step, the method further.includes the step of decrypting said 
header with a private key of the printing node to. determine said 
confidentiality level. 

'6. The method according to claim 4; wherein after analyzing 
said header and prior to said outputting the docuhient upon 
authentication of the recipient, the^method further includes the steps of 
buffering the documenf in a format encrypted by said 
• public'key of the printing node; smd * 

decrypting the documerrt* with at private key of the printing 
node upon authentication of the recipient. ' " 

7, A method for preventing a printing node from outputting a 
copy of a document until an intended recipient of the document is 
authenticated near the printing node, the rnethod comprising the steps 
of: 

creating a first header for said print job, said first header 
containing at least (i) information' to authenticate the recipient and 
(ii) control information including at least said confidentiality level; 

encrypting said first header and the document of said print 
job with a public key of the- printing mode; 

transmitting said print job to the printing node; 

storing the encrypted document in the printing node; and 

decrypting the encrypted document and queuing the 
document to be output once the recipient is authenticated. 

8. The method according to claim 7. wherein said control 
information of said header includes a public key of the recipient. 
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9. The method according to claim 1 , wherein said control 
information includes a print-only tag. 



1 0. A method for preventing a printing node from outputting a 
copy of a document until an intended recipient of the document is 
authenticated near the printing node, the method comprising the steps 

of:-,- ' - , ^ 

selecting a confidentiality level for the document, the 
document being a portion of a print job; - 
- ^ * : creating a first header for said print job, wherein 

if said confidentiality level is greater than or equal to 
' a predetermined level, said header is a first header 
• containing at least (i) information to authenticate the 
recipient and (ii) a first set of control information including 
at least said confidentiality level, and - 
- • ^ • ' if said- confidentiality level is less than said 

^ predetermined level, said" header is a second header 
containing a second set of control information; 
encrypting said print job; 
transmitting said print job to the printing node; 
decrypting said header to obtain the confidentiality level, 
wherein 

if the confidentiality level is greater than or equal to 
said predetermined level, 

temporarily storing the document, and 
outputting the document once the recipient is 
authenticated 

if the confidentiality level is less than said 
predetermined level, 

preparing the document to be output by the 
printing node. 



15 

11. A system configured to prevent a copy of a document from 
being output from a printing node until the printing node receives local 
authentication from an intended recipient of the document, the system 
comprising: 

a comnpunication link; : : -V:. . 

a, sending node coupled to. saidtcommunication link,: said 
sending node includes a storage element which contains at least 
, a public key associated withfthie printing nod.©, said sending node 
utilizes said public key to encrypt. a/header and the document 
prior to transmission to the^printing; node via; said communication 
lirik;.ancl> , : - - 

I, the printing node coupled .to said communication link, the 
printing node includes a stprage..element whiqh contains at least 
a private key associatedr with .the priming node, the printing node 
decrypts said header to obtajp-a^.confidentiality level of the 
document and prevents the; document from being outputted until 
authentication, of the recipient at the printing node if the 
confidentiality level exceeds a predetermined level. 

12. The system according to claim 11 , wherein said sending 
node is a computer. ' - / 

1 3. The system according to claim 11 , wherein said printing 
node is one of a group consisting of a printer, plotter, facsimile machine 
and display monitor. 

1 4. The system according to claim 1 1 , wherein both said 
storage element of said sending node and said storage element of said 
printing node are non-volatile memory. 

1 5. The system according to claim 1 1 , wherein said storage 
element of said printing node further contains a digital certificate being 
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at least said public key of the printing node encrypted with a private key 
of a trusted authority. . 

' - 16. The system according to claim 11, wherein said printing 
node includes internal memory to store the document until the recipient 
is authenticated at the printing node. 

17. A system configured to either immediately queue a non- 
confidential document to be output from the printing means or prevent a 
copy of a confidential document from being output from a printing 
means until the printing means receives authentication from an 
intended recipient of the document that the recipient is near the printing 
means, the system comprising: 

sending means for encrypting a print job having a first 
header and the confidential document with a public key of the 
printing node and for transmitting the encrypted first header and 
encrypted confidential document to the printing means, said 
sending means includes a first storage means for containing at 
least said public key; 

printing means for decrypting said first header, analyzing 
said first header to determine that said print job contains the 
encrypted confidential document and for preventing the 
confidential document from being printed until authentication of 
the recipient at the printing means; and 

means for communicating between said sending means 
and said printing means. 

18. The system according to claim 17. wherein said sending 
means further encrypts another print job having a second header and 
the non-confidential document with said public key of the printing node 
and transmits the encrypted second header and encrypted non- 

^ confidential document to said printing means. 
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19. The system according to claim 18, wherein the printing 
means further decrypts said second header thereby determining that 
said another print job has the non-confidential document and prepares 
the non-confidential document to be. output without authentication of the 
recipient. ... 
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